[21565] in bugtraq

Re: MALWARE HOAX FW: Microsoft Security Bulletin MS01-039

daemon@ATHENA.MIT.EDU (Nick FitzGerald)
Tue Jul 17 11:59:49 2001

Message-Id: <200107171132.XAA03254@fep4-orange.clear.net.nz>
From: "Nick FitzGerald" <nick@virus-l.demon.co.uk>
To: focus-virus@securityfocus.com, bugtraq@securityfocus.com
Date: Tue, 17 Jul 2001 23:33:17 +1200
MIME-Version: 1.0
Content-type: text/plain; charset=US-ASCII
Content-transfer-encoding: 7BIT
Reply-To: nick@virus-l.demon.co.uk
Cc: "Robert D. Hughes" <rob@robhughes.com>, <abuse@tripod.com>
In-reply-to: <B95B566BD245174196CA4EE29E5818834518@robhughes.com>

"Robert D. Hughes" wrote:

> First of all, here's the headers:
<<snip>>
> Now, they've obviously taken an actual MS bulletin and used the text, right
> down to including a PGP key, and they've incremented it from the previous
> bulletin. The first thing I noticed is that the entire message is
> double-spaced. Not a lot, but it was different from every other bulletin I've
> gotten. The obvious giveaway is the address they've used for the fix, as
> well as specifying a particular file to download. The bulletin page of course is
> 404.

Apart from the double-spacing and the 404 error on the non-existent 
security bulletin, this same trick was used a few days (week?) ago 
to advertise/distribute a (then) new Win32/Leave variant (that worm 
that spreads via SubSeven machines that the NIPC were so worked up 
about a couple of weeks back).

> The netblock is owned by LYCOS in Europe and points to a tripod page, with an
> att.net account used to send the mail, and relevant parties have been cc'ed
> as well. And apparently the user name associated with the site is hicagogppr.
> 
> From my limited experience, I can tell very little about the file other than
> it appears to connect to a remote web site. This comes from running strings
> against the file. It also appears to go after Napster and ICQ accounts, but I
> can't tell what else it does. I think the most important thing is that
> scanning it with the latest virus signatures from Norton comes up clean, so a
> user would not be notified that they are running an infected file.
> 
> If someone with the knowledge and experience will, please do a full analysis
> on this and let me know what it is. I'm pretty much a rank newbie at this, as
> you can probably tell ;) I searched the bugtraq archives, but didn't find
> anything on this, so if it's known, I apologize.
<<snip>>

Sounds like a new Leave variant.  Please send a copy to your 
preferred antivirus vendor.  To possibly save you the search time, 
the sample submission addresses of the better-known developers are:

   Command Software               <virus@commandcom.com>
   Computer Associates (US)       <virus@cai.com>
   Computer Associates (Vet/IPE)  <ipevirus@vet.com.au>
   DialogueScience (Dr.Web)       <Antivir@dials.ru>
   Eset (NOD32)                   <trnka@eset.sk>
   F-Secure Corp.                 <samples@f-secure.com>
   Frisk Software                 <viruslab@complex.is>
   Kaspersky Labs                 <newvirus@avp.ru>
   Network Associates (US)        <virus_research@nai.com>
   Norman (NVC)                   <analysis@norman.no>
   Sophos Plc.                    <support@sophos.com>
   Symantec                       <avsubmit@symantec.com>
   Trend Micro                    <virus_doctor@trendmicro.com>


-- 
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854
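As an added example that is not part of the original thread, the following Python script turns the giveaways discussed above (a "fix" link pointing off microsoft.com, a direct executable download, a double-spaced body) into a triage check a mail administrator can run over a purported bulletin before forwarding it. The sample message, its hostnames and its file name are constructed for illustration; the `microsoft.com` trust anchor is an assumption of this example.

```python
"""Heuristic triage of a purported Microsoft Security Bulletin e-mail.

Added example, not code from the original thread. Flags the signs the
thread describes: links to hosts outside the trusted domain, a direct
download of an executable, and a double-spaced body. The sample message
below is constructed; its hosts and file name are made up.
"""
import re
from urllib.parse import urlparse

URL_RE = re.compile(r"https?://[^\s<>\"']+")
BULLETIN_RE = re.compile(r"\bMS\d{2}-\d{3}\b")       # e.g. MS01-039
EXEC_EXTS = (".exe", ".com", ".scr", ".pif", ".bat")   # direct-download bait


def triage(body: str, trusted_suffix: str = "microsoft.com") -> dict:
    """Return the findings a reviewer would want before trusting the mail."""
    untrusted_hosts, executable_links = [], []
    for url in URL_RE.findall(body):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        # A real bulletin's patch links live under the vendor's own domain.
        if not (host == trusted_suffix or host.endswith("." + trusted_suffix)):
            untrusted_hosts.append(host)
        if parsed.path.lower().endswith(EXEC_EXTS):
            executable_links.append(url)
    lines = body.splitlines()
    blank = sum(1 for line in lines if not line.strip())
    # Roughly every other line blank => body has been double-spaced.
    double_spaced = len(lines) >= 6 and blank * 2 + 1 >= len(lines)
    return {
        "bulletin_ids": sorted(set(BULLETIN_RE.findall(body))),
        "untrusted_hosts": sorted(set(untrusted_hosts)),
        "executable_links": executable_links,
        "double_spaced": double_spaced,
        # Off-domain or executable links are the decisive signs; spacing alone is not.
        "suspicious": bool(untrusted_hosts or executable_links),
    }


# Constructed sample in the style of the hoax discussed in the thread.
SAMPLE = """\
Microsoft Security Bulletin MS01-039

Patch availability

Download locations for this patch:

http://members.free-pages.example/patches/ms01-039.exe

Additional information:

http://www.microsoft.com/technet/security/bulletin/MS01-039.asp
"""

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```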